Adware Programs Pose as Popular Apps, Root Android Devices

Mobile security firm Lookout detected thousands of samples of malicious adware masquerading as legitimate applications, but which root victims' systems to reap a few dollars in ad revenue.

Over the last year, a trio of pernicious Android adware programs have been posing as popular apps and then been taking complete control of the devices on which they run, according to report from mobile security firm Lookout.
The three adware programs—known as Shedun, Shuanet and ShiftyBug—are interconnected families whose developers appear to share code. While adware—and other potentially unwanted programs—are known hazards for Android users, these latest programs have become much more malicious, masquerading as popular apps—such as Candy Crush and Facebook. When the program is run, it installs the app but also takes control of the device and installs adware.
In the past year, the adware programs have accounted for 20,000 malware samples, each repackaging a different, but legitimate, app, according to Lookout. Anyone who installs the apps will quickly find their device rooted, Michael Bentley, Lookout's head of research and response, told eWEEK.
"About 30 seconds after you install what seems to be a popular app, the application installs components into the system directory," Bentley said. "Other apps do not have access to remove code from the system directory, so the malware now has persistence on the victim's device."

While many potentially unwanted applications, such as adware, target the Android platform, most do not try to gain control of the device. Removing the run-of-the-mill unwanted programs is not too difficult, Lookout said, but the three new programs identified are much harder to remove, requiring technical knowledge.

Among the 20,000 legitimate apps used by the adware's operators to entice users are Candy Crush, Facebook, GoogleNow, NYTimes, Snapchat, Twitter and WhatsApp, Lookout stated. The attackers appear to use an automated system to crawl Google's store, download a selection of legitimate applications and modify them to install the adware. The attackers likely receive almost $2 per install, according to Lookout.
The good news is that users who do not allow the downloading of third-party sources of software—and just download apps from the Google Play store or Amazon's Appstore—are not at risk from the modified applications. Google quickly removes unwanted and malicious programs from its app store and estimates that less than 1 percent of users are affected by such applications.
The three programs appear to use much of the same code, suggesting that their creators are in communication with one another, according to Lookout. The company's security researchers analyzed samples of the three and found certain variants had 71 percent to 82 percent code similarity. While it's possible that the same group is behind the three adware families, Lookout researchers believe that the developers are sharing—or stealing—some code from the others.
"We think these are three distinct actors," Bentley said. "The reason we believe this is because the groups are operating at different levels of sophistication."